Forum Discussion

ukhan20
Dec 16, 2024

DDoS Two-Layer Architecture

How do I achieve this two-layer setup with a one-arm deployment, L3/L4 (AFM) and L7 (WAF), for a PoC? I have an F5 VIPRION 4450 blade with the vCMP-enabled license and others too.

  • Hi ukhan20

    What is the problem in achieving that?

    One-arm deployment isn't a limitation for that.
    You can configure L3/L4 as well as L7 DDoS protection; you just need to provision AFM and choose the security TurboFlex profile, then provision the ASM or AWAF license.
    Then you can configure whatever you need.

    You can even configure AFM DoS protection (at the Device and Protected Objects level) and use AWAF L7 DoS as well.

    Could you clarify what is challenging you in this deployment?

    Maybe this will not be a two-tier deployment, as you will have AFM DoS and AWAF DoS on the same BIG-IP; I mean you will do it all in the same tier or layer.

    If you want to achieve the multi-tier deployment,
    you have to use two devices, one for AFM and the other one for AWAF close to the DMZ or application servers.

    • June48

      Thank you for sharing this information.

  • I'm new to this, so I appreciate your patience.

    Client traffic first passes through VM1 (AFM for L3/L4) on the vCMP-enabled VMs, then to VM2 (WAF for L7), and finally reaches the server. This process is achieved through a one-arm configuration, as shown in the screenshot. (How do I achieve this? I am aware of AFM at L3 and L4.)

    If there's no need for inspection by VM2 (WAF), the traffic goes directly from VM1 (L3/L4) to the server.

    Could you please confirm if this setup is correct?

    • Hi ukhan20
      No worries, brother.

      I just need to understand: do you want to apply the two tiers in one device, the "VIPRION" chassis, or what?

      If you want to allocate two vCMP guests, one for AFM and the other for AWAF, I believe you need at least 2 separate VLANs; you will work in a one-arm deployment on each VM/guest.

      For example, I drew this design for you:

      This is in case you want to split your VIPRION into two guests (one for AFM and the other for ASM); you can deploy it in one-arm for each guest, but you need two VLANs, as I described in the above traffic flow.

      Again, you can do the same deployment using only one VLAN and one arm, but you have to use only one guest with more resources, and in this guest you will provision AFM and AWAF and then move forward with this.

      So let me know if the above approach works for you or not,
      and I will discuss with you how to configure AFM and AWAF to achieve this.
      Configs aren't the hard part, but putting together the proper design is the most challenging thing.

      So have a deep look at my design and traffic flow above and discuss it with me if you wish.

      • ukhan20

        I came across the terms 'one-arm' and 'two-arm,' and I want to align this with the solution. I'll be implementing this on the chassis.

        All the steps are clear to me.

        Looking at this diagram, I am creating two VMs to provide different services: AFM (L3/L4) and WAF (L7).

        If the customer requires only L3/L4 services, I can route the traffic to AFM (VM guest 1). If the customer requires both services, I can route the traffic to both VMs. In this case, traffic flows from the client to the server through the AFM and WAF solution. However, I also need to ensure that traffic flows back from the server to the client (i.e., I need two-way traffic).

  • Hi ukhan20

    Different approach...

    Let me summarize what one-arm mode is.

    In a one-arm deployment, all traffic flows through the BIG-IP system using a single network interface. The system inspects and processes the traffic but does not perform full routing.

    • Ingress and Egress Traffic: Both incoming and outgoing traffic use the same interface.
    • This simplifies the setup for PoC purposes and allows easy testing of DDoS mitigation at multiple layers (L3/L4 and L7).

    Enable and Configure vCMP

    Since your VIPRION 4450 supports vCMP (virtualized BIG-IP instances):

    1. Create two guest instances:
      • One for AFM (L3/L4 DDoS protection).
      • One for AWAF (L7 WAF protection).
    2. Assign appropriate resource allocations (CPU, memory, and bandwidth) to each guest.
    3. Configure VLANs or interfaces for traffic flow within the virtual guests.

    Deploy L3/L4 DDoS Protection with AFM

    Configure AFM (Advanced Firewall Manager) to mitigate DDoS attacks at the network tier (L3/L4):

    Steps:

    1. Navigate to Security >> DoS Protection >> Network Protection.
    2. Enable DoS Protection on the Virtual Server handling traffic for the network tier.
    3. Create and apply DoS Profiles:
      • Enable protections like SYN Flood, UDP Flood, ICMP Flood, and DNS Amplification.
      • Set rate limits and thresholds to mitigate volumetric attacks.
    4. Configure IP Intelligence to detect and block malicious IPs automatically.

    Key Notes:

    • Attach a DoS Profile to the wildcard or relevant Virtual Server.
    • Use Threshold Settings for traffic baselining.

    So, to test...

    • Simulate different DDoS attack vectors:
      • Network Layer (L3/L4): Use tools like hping3, LOIC, or similar for SYN floods, UDP floods, etc.
      • Application Layer (L7): Use tools like slowloris, apache benchmark, or HTTP GET/POST floods.
    • Monitor traffic behavior using Dashboards:
      • AFM → Security >> DoS Protection >> DoS Dashboard.
      • AWAF → Security >> Application Security >> Charts and Reports.
    • Verify:
      • Traffic at the network tier is mitigated by AFM.
      • Legitimate traffic continues to flow through AWAF for L7 protection.

    If you need anything, do not hesitate to come here.

    Harun
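The two-guest, one-VLAN-per-guest design discussed in this thread, written out as tmsh commands. This is an added example, not configuration posted by Harun or ukhan20 and not from F5 documentation; the VLAN tags, interface name, image file name, guest names, IP addresses and object names are all constructed placeholders, the tmsh syntax is from memory and should be checked against the tmsh reference for the installed BIG-IP version, and the DoS profiles are created empty so that the vectors and thresholds can be set in the GUI paths given above. The part the thread leaves implicit is the return path: in a one-arm deployment each virtual server uses SNAT automap so that replies from the next tier (or the application server) come back to the guest that forwarded the request.

```tmsh
### On the vCMP host (VIPRION 4450): two guests, one per tier.
modify sys provision vcmp level dedicated
create net vlan vlan_afm tag 101 interfaces add { 1/1.1 { tagged } }
create net vlan vlan_waf tag 102 interfaces add { 1/1.1 { tagged } }
create vcmp guest afm_guest cores-per-slot 2 initial-image BIGIP-<version>.iso management-ip 192.0.2.11/24 management-gw 192.0.2.1 vlans add { vlan_afm } state deployed
create vcmp guest waf_guest cores-per-slot 4 initial-image BIGIP-<version>.iso management-ip 192.0.2.12/24 management-gw 192.0.2.1 vlans add { vlan_waf } state deployed

### Inside afm_guest (tier 1, L3/L4). One self IP on vlan_afm, a route to the
### WAF VLAN via the upstream router, a network DoS profile on the virtual
### server, and SNAT automap so the WAF tier replies to this guest's self IP.
modify sys provision afm level nominal
create net self self_afm address 10.10.1.2/24 vlan vlan_afm allow-service none
create net route to_waf_vlan network 10.10.2.0/24 gw 10.10.1.1
create net route default network 0.0.0.0/0 gw 10.10.1.1
create security dos profile dos_l3l4 dos-network add { dos_l3l4 { } }
create ltm pool pool_waf_tier members add { 10.10.2.100:80 { } } monitor tcp
create ltm virtual vs_afm_tier destination 10.10.1.100:80 ip-protocol tcp profiles add { fastL4 dos_l3l4 } source-address-translation { type automap } pool pool_waf_tier

### Inside waf_guest (tier 2, L7). Same one-arm pattern on vlan_waf with an
### HTTP profile and an application (L7) DoS profile; the ASM/AWAF security
### policy is attached afterwards from Security >> Application Security.
modify sys provision asm level nominal
create net self self_waf address 10.10.2.2/24 vlan vlan_waf allow-service none
create net route default network 0.0.0.0/0 gw 10.10.2.1
create security dos profile dos_l7 application add { dos_l7 { } }
create ltm pool pool_app members add { 10.10.2.50:80 { } } monitor http
create ltm virtual vs_waf_tier destination 10.10.2.100:80 ip-protocol tcp profiles add { tcp http dos_l7 } source-address-translation { type automap } pool pool_app
save sys config
```

With this layout the flow is client → vs_afm_tier (AFM guest) → vs_waf_tier (WAF guest) → application server, and because each hop is source-translated the replies retrace the same hops, which covers the two-way traffic question raised earlier. For a customer who needs only L3/L4 protection, point the pool of vs_afm_tier at the application server instead of at vs_waf_tier, so the WAF tier is bypassed without any change to the VLAN design.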

  • Is your company a network service provider?
    If it isn't, volumetric DoS will fill your WAN links well before the VIPRION vserver is overwhelmed.
    And an LTM/ASM HTTP(S) vserver by default acts as an L4-7 filter that only forwards healthy client requests (not simply connections) to backend servers.